Service access
How production apps are exposed and authenticated. Use this when adding a Traefik router or a new stack. For the auth components (Authelia, LLDAP, and deprecated IdPs), see Authentication.
Layers
| Layer | Scope | Role |
|---|---|---|
| Traefik (*.dripdrop.pro) | Internet / HTTPS | TLS, routing, CrowdSec on websecure |
| Authelia (authelia middleware) | Per-router | Forward-auth; rules in `${DOCKER_APPDATA}/authelia/config/configuration.yml` |
| App-native auth | Inside the app | Login UI, OIDC client, or API keys |
| Host-published ports | LAN / Tailscale | Direct to the NAS; bypasses Traefik and CrowdSec |
| Docker networks | Container-to-container | Per-stack isolation; databases are not published publicly |
CrowdSec AppSec is configured fail-open when the AppSec component is down or returns an error (see Infrastructure). IP reputation bans from the LAPI still apply when CrowdSec is healthy.
Access patterns
| Pattern | Traefik | Who can access | Examples |
|---|---|---|---|
| Authelia forward-auth | authelia middleware (optionally admin-only in Authelia rules) | Authenticated users per access_control | Sonarr, Radarr, Grafana, Homepage, LLDAP UI |
| App login (public URL) | No Authelia | Anyone with app credentials | Jellyfin, Seerr, Nextcloud, Navidrome |
| OIDC via Authelia | No forward-auth; app handles login | Users who complete Authelia OIDC in the app | Open WebUI (ollama.dripdrop.pro) |
| Public dashboard | No Authelia | Anyone who can reach the URL | Gatus (gatus.dripdrop.pro) |
| App login (own UI) | No Authelia | Users with Healthchecks credentials | Healthchecks |
| Public site | No Authelia | Internet | Dripdrop (dripdrop.pro) |
| API without forward-auth | Separate router, often PathRegexp('^/api') | API key or app auth | Sportarr /api, Sonarr/Radarr/Bazarr API routers, qBittorrent API |
Grafana uses the authelia middleware with an admin-only Authelia rule. Inside
the container, anonymous admin is enabled so authenticated users do not need a
second Grafana login.
Monitoring
| Tool | What it covers |
|---|---|
| Gatus (builds/gatus/config.yaml) | Authelia-protected URLs (expects 401 + Authelia body) and internal docker-net health |
| Uptime Robot | Public and OIDC user-facing URLs (Jellyfin, Seerr, Nextcloud, Navidrome, Open WebUI, Dripdrop, …) |
Do not duplicate Uptime Robot checks in Gatus unless you want Discord alerts on the same failure twice.
Adding a new service
- Pick a pattern above (admin tool → Authelia; family app → app login; etc.).
- Add Traefik labels in the stack's `docker-compose*.yaml` (`exposedByDefault` is `false`; set `traefik.enable: "true"` explicitly).
- For Authelia-protected services, add a matching `access_control` rule in Authelia config and the `authelia` middleware on the router.
- Add Gatus protected + internal checks for non-public admin services, or Uptime Robot for public user-facing URLs.
- Host-published ports are intentional for LAN/Tailscale (Jellyfin, VMs, Ollama API, etc.); they are outside the Traefik/CrowdSec path by design.
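The steps above, carried through for one hypothetical admin tool, as an added example (this is not a stack from the repo). The service name `newapp`, the hostname `newapp.dripdrop.pro`, the container port 8080, the network names, the middleware reference `authelia@docker`, the group `admins`, the `/health` path and `default_policy: deny` are all assumptions; the `websecure` entrypoint, the `authelia` middleware, the `PathRegexp('^/api')` API router and the Gatus 401 + Authelia-body check come from this page. The three YAML documents go in three different files, as the comments say.

```yaml
# --- docker-compose.yaml of the new stack (excerpt) ---
# Added example, not project code. Names, port and networks are assumptions.
services:
  newapp:
    image: example/newapp:latest        # placeholder image
    networks: [proxy, newapp-internal]   # assumed: proxy = Traefik net, internal = DB net (not published)
    labels:
      traefik.enable: "true"             # required: exposedByDefault is false
      # UI router: every request passes Authelia forward-auth first.
      traefik.http.routers.newapp.rule: "Host(`newapp.dripdrop.pro`)"
      traefik.http.routers.newapp.entrypoints: websecure
      traefik.http.routers.newapp.middlewares: authelia@docker   # assumed provider suffix
      traefik.http.routers.newapp.service: newapp
      # API router: no authelia middleware, so the app's API key is the only auth.
      # Traefik's default priority is the rule length, so this longer rule wins for /api.
      traefik.http.routers.newapp-api.rule: "Host(`newapp.dripdrop.pro`) && PathRegexp(`^/api`)"
      traefik.http.routers.newapp-api.entrypoints: websecure
      traefik.http.routers.newapp-api.service: newapp
      traefik.http.services.newapp.loadbalancer.server.port: "8080"
    # No "ports:" block: the UI is reachable only through Traefik + CrowdSec.

---
# --- ${DOCKER_APPDATA}/authelia/config/configuration.yml (access_control excerpt) ---
# Admin-only rule, like the Grafana pattern on this page. Policy, group and
# default_policy are assumptions; anything without a matching rule is denied.
access_control:
  default_policy: deny
  rules:
    - domain: newapp.dripdrop.pro
      policy: two_factor
      subject:
        - "group:admins"

---
# --- builds/gatus/config.yaml (endpoints excerpt) ---
# Protected check: the public URL must be answered by Authelia (401 + its body),
# not by the app. If this ever returns 200, the forward-auth middleware has fallen off the router.
# Internal check: hits the container directly over the docker network; /health is assumed.
endpoints:
  - name: newapp (protected)
    group: protected
    url: https://newapp.dripdrop.pro/
    interval: 5m
    conditions:
      - "[STATUS] == 401"
      - "[BODY] == pat(*Authelia*)"
  - name: newapp (internal)
    group: internal
    url: http://newapp:8080/health
    interval: 1m
    conditions:
      - "[STATUS] == 200"
```

The protected Gatus check is the one worth keeping: it fails loudly on a misconfiguration that would otherwise be silent (a router that lost its `authelia` middleware still serves the app fine to a browser). The API router is deliberately outside forward-auth, so treat the app's API key with the same care as a password and keep `/api` off any public dashboard check.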